Cloud Solution Architect @ Microsoft

Over the last few years as an architect for Azure services, the same set of questions and areas keeps coming up. Here you will find the reference materials I use to answer RFPs or customer enquiries. This post assumes you already have some Azure expertise in the subjects covered, but are looking for good reference materials for documentation purposes.

Networking and connectivity

When you design a solution running in Azure, it will most of the time run on Virtual Networks, which you can connect to:

Your datacenter via IPsec VPN: you use the internet to transport IPsec-encrypted packets. Since it is the internet, there is no SLA on the link availability, but the IPsec gateway is backed by a 99.95% SLA and the speed can go up to 1 Gbps.

Your datacenter via ExpressRoute: a private connection, SLA-backed by your service provider up to 99.95%. The speed can go up to 10 Gbps if necessary.

Internet via a Public IP: that public IP endpoint is highly available, load balanced if needed, and protected by our DoS protection service. Those operations are done by Azure, but you can leverage Network Virtual Appliances from the marketplace in order to add features like layer-7 inspection. If you want to use WAF-as-a-Service, you can also leverage Azure Application Gateway.

High availability, Disaster Recovery and SLA

When you build solutions on Azure, you choose the physical location of your data, which is replicated on 3 hard disk drives (Locally Redundant Storage). It can also be replicated to another region, hundreds of miles away from the first one, in order to offer additional redundancy (3 additional copies of your data).

Cross-region: by duplicating the first deployment in another region. You replicate the data using application-level replication or Azure Site Recovery, then you load balance the solution using Traffic Manager.

For all Virtual Machines that have two or more instances deployed in the same Availability Set, we guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.95% of the time. For any Single Instance Virtual Machine using premium storage for all Operating System Disks and Data Disks, we guarantee you will have Virtual Machine Connectivity of at least 99.9%.

We guarantee that at least 99.9% (99% for Cool Access Tier) of the time, we will successfully process requests to read data from Locally Redundant Storage (LRS), Zone Redundant Storage (ZRS), and Geo Redundant Storage (GRS) Accounts.

Datacenter operations & compliance

Azure will very likely exceed any best practice and compliance regulation level that you see in a customer-run datacenter. Azure does not usually allow customers to directly audit against best practices; instead, we are working to certify Azure against the most relevant certifications worldwide, regionally and locally, as well as the strictest industry standards.

Threat protection, detection and incident response

How does Microsoft protect instances, and how do Microsoft and I do incident response? Is a DoS protection service included, and IDS/IPS? Can I or a partner conduct penetration testing against a solution in Azure?

Operations Excellence

How do I operate and manage an environment in Azure, how do I manage separation of roles and duties, and how is RBAC done?

Customers can integrate their on-premises Active Directory with Azure Active Directory and then manage and delegate access using RBAC. When customers use Azure Active Directory, they can use all features of Azure Active Directory Premium and also enable Just in time admin, which will elevat

We continue our series of “Getting Started” articles, with the most up-to-date information I use with Microsoft Partners and customers when enabling them with Azure infrastructure services. It follows the same structure: getting started, training videos if available, then reference architectures, capacity planning and pricing information.

Backup generally does not create a lot of excitement in IT teams, to say the least. The fundamentally difficult parts of it are:

defining data retention and archival policies.

defining the appropriate sizing for the solution.

executing the offsite data copy policy.

I’m not even talking about testing the restore of the backup, because people usually don’t do it.

Here’s why Azure can really help:

You only have to size for the local backup storage system; archival is done in the cloud.

Once all the hidden costs of tape systems are included, like offsite processing, cloud storage is very likely to always be cheaper than any on-premises storage.

You can easily test restoring data in a separate and isolated environment.

You can easily back up files on servers and clients with a small backup agent.

You can easily back up your applications running on Hyper-V or VMware with Azure Backup Server.

In this series of “Getting Started” articles, I will post the most up-to-date information I use with Microsoft Partners and customers when enabling them with Azure infrastructure services. It follows the same structure: getting started, training videos if available, then reference architectures, capacity planning and pricing information.

Disaster Recovery Planning, aka DRP, is one of the most thankless jobs in IT, because basically you are preparing for situations that will be painful and difficult. However, it is a good exercise to protect against one of the most prevalent laws in IT: “Anything (Everything) will fail at some point, and very likely at the worst time”.

It puts you in a state of mind that most people don’t like, and you will be asking your boss for money for something you hope will never be used.

That’s where the cloud can help, for both virtualized and non-virtualized workloads. Here’s how, in 4 easy steps:

The first step consists of replicating your production workloads as they are running.

As I help customers and partners build VMs and various infrastructure services on Azure, I have accumulated a lot of tools that make life easier. Here is my list; feel free to comment and share yours, I’d be happy to learn about new ones!

If you are MCSA certified on Windows Server 2012 or Windows Server 2008, you might want to upgrade your certification to Windows Server 2016. Fortunately, you don’t have to go through the whole curriculum again and can upgrade to MCSA Windows Server 2016 with a single exam.

As an upgrade certification, 70-743 mainly verifies that you know the new features and differences compared to Windows Server 2012, so a very good starting point is to review all the “What’s new in Windows Server 2016” sections for the different technologies and study their prerequisites, deployment methods and management techniques. The outline of this certification is located here: https://www.microsoft.com/en-us/learning/exam-70-743.aspx

Below is my list of links mapped to the different exam categories. This list is here to help you review before going to the exam, but of course it is not sufficient to pass; you will need some hands-on experience to succeed.

Install Windows Servers in host and compute environments

There have been some significant improvements in the toolset you use to manage Windows, including a whole set of commands to manage the new DIY edition of Windows: Nano Server. In this area we check your basic knowledge of DSC to manage Windows configurations, and let me remind you that you can no longer switch between the graphical and Core installations of Windows. Very importantly, we want to make sure you know how to service images online or offline.
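As an added example (not from the original post), here is a minimal DSC configuration that enforces a small hardening baseline on a node, followed by offline servicing of a VHD with the DISM cmdlets. The node name, file paths and update package are placeholders.

```powershell
# Added example: DSC baseline plus offline image servicing (not from the original post).
# Node name, paths and the update package below are placeholders.
Configuration ServerBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'SRV01' {
        # Remove the legacy SMB1 feature; DSC removes it again if someone re-adds it.
        WindowsFeature SMB1 {
            Name   = 'FS-SMB1'
            Ensure = 'Absent'
        }
        # Belt and braces: also switch the SMB1 server protocol off in the registry.
        Registry DisableSmb1Server {
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }
        # Keep Windows Update running so the node keeps receiving patches.
        Service WindowsUpdate {
            Name        = 'wuauserv'
            StartupType = 'Automatic'
            State       = 'Running'
        }
    }
}

# Compile the MOF, apply it, then report any drift from the desired state.
ServerBaseline -OutputPath 'C:\DSC\ServerBaseline'
Start-DscConfiguration -Path 'C:\DSC\ServerBaseline' -Wait -Verbose
Test-DscConfiguration -Detailed

# Offline servicing: mount the image, inject an update package, commit the change.
$mount = 'C:\Mount'
New-Item -ItemType Directory -Path $mount -Force | Out-Null
Mount-WindowsImage -ImagePath 'C:\Images\Server2016.vhdx' -Index 1 -Path $mount
Add-WindowsPackage -Path $mount -PackagePath 'C:\Updates\placeholder-update.msu'
Get-WindowsPackage -Path $mount | Where-Object PackageState -eq 'Installed' | Select-Object -Last 3
Dismount-WindowsImage -Path $mount -Save

# Online servicing uses -Online instead of -Path, here to confirm SMB1 is gone on the running OS.
Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol'
```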

Implement storage solutions

In this section we verify that you know how to configure a resilient storage infrastructure, including support for DCB, Multipath I/O and SMB 3.0. We verify that you know the scenarios and mechanisms for Storage Replica in server-to-server, cluster-to-cluster and stretch cluster topologies.

Implement Hyper-V

Hyper-V has evolved and now allows nested virtualization, Secure Boot for Linux VMs, and PowerShell Direct. Production checkpoints let you take VM “snapshots” that use VSS providers, so they can be used as a valid “backup”. Shielded VMs (which prevent the fabric administrator from accessing the VM data or running the VM on another fabric) are also a topic to work on before you go to the exam.

Manage VM movement in clustered nodes

Implement Domain Name System (DNS)

The DNS service in Windows Server 2016 implements a couple of new features, like policies, which allow you to send different answers to client requests based on criteria like the client subnet or the time of day. It also queries IPv6 root hints by default and has a request pacer to limit request-intensive clients.
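As an added example (not from the original post), the following configures a subnet- and time-of-day-based DNS policy, a policy that drops queries for a known-bad domain, and the request pacer (Response Rate Limiting). The zone, subnet, addresses and domain names are constructed placeholders.

```powershell
# Added example: DNS policies and Response Rate Limiting (not from the original post).
# Zone name, subnets, addresses and the blocked domain are constructed placeholders.
$zone = 'contoso.example'

# 1. Name the client subnet the policy will match on.
Add-DnsServerClientSubnet -Name 'ParisOffice' -IPv4Subnet '10.20.0.0/16'

# 2. A zone scope holds the records only matching clients should receive;
#    the default scope keeps the answer everyone else gets.
Add-DnsServerZoneScope -ZoneName $zone -Name 'ParisScope'
Add-DnsServerResourceRecord -ZoneName $zone -ZoneScope 'ParisScope' -A -Name 'www' -IPv4Address '10.20.5.10'
Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'www' -IPv4Address '192.0.2.10'

# 3. Policy: during business hours, queries from the Paris subnet are answered from ParisScope.
#    -Condition AND requires both criteria to match; outside that window the default scope answers.
Add-DnsServerQueryResolutionPolicy -Name 'ParisBusinessHours' -Action ALLOW -ZoneName $zone `
    -ClientSubnet 'EQ,ParisOffice' -TimeOfDay 'EQ,08:00-18:00' -Condition AND -ZoneScope 'ParisScope,1'

# 4. Server-level policy: silently drop queries for a domain you have decided to block.
Add-DnsServerQueryResolutionPolicy -Name 'BlockKnownBadDomain' -Action IGNORE `
    -FQDN 'EQ,*.blocked-placeholder.example'

# 5. Request pacer: Response Rate Limiting. Start in LogOnly mode, review the DNS
#    server event log, then switch to Enable once legitimate clients are not affected.
Set-DnsServerResponseRateLimiting -Mode LogOnly -ResponsesPerSec 10 -ErrorsPerSec 10 -WindowInSec 5 -Force
Set-DnsServerResponseRateLimiting -Mode Enable -Force

# Exempt a trusted internal subnet (e.g. monitoring hosts) from rate limiting.
Add-DnsServerResponseRateLimitingExceptionlist -Name 'InternalMonitoring' -ClientSubnet 'EQ,ParisOffice'

# Review what is now in place.
Get-DnsServerQueryResolutionPolicy -ZoneName $zone
Get-DnsServerQueryResolutionPolicy
Get-DnsServerResponseRateLimiting
```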

Implement IP Address Management (IPAM)

Windows IPAM has new scenarios and integrated management possibilities. It basically allows you to manage your DNS and DHCP infrastructure more efficiently, without needing to log on to the different consoles, and gives you a better view of the whole infrastructure, physical or virtualized with VMM.

Implement network connectivity and remote access solutions

DirectAccess had no major evolution in Windows Server 2016, so you can rely on your Windows Server 2012 R2 knowledge. Most of the new features are related to the SDN multi-tenant gateway implementation and BGP support.

Implement an advanced network infrastructure

In this section, we evaluate your knowledge of the new SDN architecture of Windows Server 2016. It now has a real SDN controller, which acts as a central point to manage and deploy network definitions and policies via software calls.

Install and configure Active Directory Domain Services (AD DS)

AD has new features mainly related to Azure AD integration, better security and Just in Time Admin concepts. For the exam, we will also check that you know how to administer the replication topology and FSMO role operations in PowerShell.
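As an added example (not from the original post), here is the PowerShell an administrator would use to inventory and transfer FSMO roles and to define and check the replication topology. The DC names, site names and subnet are placeholders.

```powershell
# Added example: FSMO role operations and replication topology (not from the original post).
# DC names, site names and the subnet are placeholders.
Import-Module ActiveDirectory

# Inventory: which DC holds which operations master role.
$domain = Get-ADDomain
$forest = Get-ADForest
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Planned transfer of two domain-level roles to DC02 (the current holder must be online).
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole PDCEmulator, RIDMaster

# Seizure (-Force) is only for a holder that is permanently lost; the old DC must never
# be brought back online afterwards, or two DCs would claim the same role.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole SchemaMaster -Force

# Replication topology: a new site, the subnet that maps clients to it, and a site link
# that replicates every 15 minutes over IP.
New-ADReplicationSite -Name 'Paris'
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'Paris'
New-ADReplicationSiteLink -Name 'HQ-Paris' -SitesIncluded 'Default-First-Site-Name', 'Paris' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# Health check: per-partner replication status for one DC, then any failures domain-wide.
Get-ADReplicationPartnerMetadata -Target 'DC01' -Scope Server |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
```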